
Free solutions for detecting proxies

  1. Jun 8, 2015 #1
    For security reasons, there is an IP-logger on my website, also logging reference page. What I've noticed is repeated visitors from Beijing, Microsoft or Google INC. Also getting visits from websites like: "http://hvd-store.com/".

    How can I detect a proxy without paying for some service? I've been estimating proxies from Network Organization information and by googling the IP, but I don't have any automatic mechanism that I can use to display threat-info or into the page for other admins to see, something like "detected proxy"/"Individual".

    And is there a way to detect and differentiate bots, search-spiders and proxies? It's hard to be sure if the ones from Microsoft and Google INC are web-spiders or someone with bad intents.

    An example of a suspicious visit logged:

    Network Organization: AS16276 OVH SAS
    Ref-page: http://hvd-store.com/
    IP: 176.31.182.218
    Location: Paris
    Browser: Google Chrome

    A bot that hangs around,

    Network Organization: AS55967 Beijing Baidu Netcom Science and Technology Co., Ltd.
    Ref-page: no ref-page
    IP: 180.76.15.34
    Location: Beijing
    Browser: Unknown

    I thought this was a spider, but it has a browser so I am led to believe it's something different:

    Network Organization: AS15169 Google Inc.
    Ref-page: no ref-page
    IP: 66.249.93.252
    Location: Mountain View
    Browser: Mozilla Firefox

    -Thanks in advance.
     
    Last edited by a moderator: Aug 14, 2015
  4. Jun 8, 2015 #3
    It's a probability game. For instance you can find lists of Tor exit node IPs, that will give you some clue. But I can tell you from a pure computer science perspective, it's just not possible to detect all proxies, even if you pay for a service. As a thought experiment, imagine someone A who calls a friend B and tells them to visit your page, and read what they find there. How do you detect anything about A from B? You don't, and digital versions of the same process will reveal nothing about A either. Download TeamViewer, and launch a browser on a remote computer to view your site. How can you tell that it's being remotely invoked by TeamViewer and seen by another computer? You can't. It's really something you need to set aside to accomplish your security goals.
     
  5. Jun 9, 2015 #4

    meBigGuy

    Gold Member

    176.31.182.218 is listed as a TOR exit node.

    180-76-15-34 has hostname baiduspider-180-76-15-34.crawl.baidu.com

    66.249.93.252 has hostname google-proxy-66-249-93-252.google.com

    If I was going to try to do this I would check headers, proxy lists, Tor exits, and check for open common proxy ports and do an automated search on Google like +"66.249.93.252" proxy.

    But Foolality is right. Can't get them all. And some proxy accesses might be legit (didn't all AOL accesses come through a proxy? don't remember).

    Logging what people throw at your computer is a great way to collect exploits. I would think one could look for suspicious requests and list those IPs (but maybe that's impractical -- I'm not a security expert).
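
The checks listed in the post above (Tor exit list, hostname, headers) can be combined into one labelling function, sketched here as an added example that is not code from any poster in this thread. The suffix and marker tuples, the label names, and the `demo` helper are assumptions; the DNS data is constructed from the values quoted in the thread so the block runs offline.

```python
import socket

# Assumed naming rules: the Baidu and google-proxy hostnames are the ones quoted
# in this thread; .googlebot.com is the suffix Google documents for its crawler.
CRAWLER_SUFFIXES = (".crawl.baidu.com", ".googlebot.com")
PROXY_HOST_MARKERS = ("google-proxy-", "tor-exit")
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

def _reverse(ip):  # PTR lookup, None when the address has no name
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host):  # A-record lookup, empty set on failure
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def classify(ip, headers, tor_exits, reverse=_reverse, forward=_forward):
    """Label one logged visit; every label is a hint, not proof."""
    if ip in tor_exits:  # set loaded from a downloaded exit-node list
        return "tor-exit"
    host = (reverse(ip) or "").lower().rstrip(".")
    # Whoever controls the IP block sets the PTR name, so trust it only
    # when the name resolves back to the same address.
    confirmed = bool(host) and ip in forward(host)
    if host.endswith(CRAWLER_SUFFIXES):
        return "crawler" if confirmed else "fake-crawler"
    if confirmed and any(m in host for m in PROXY_HOST_MARKERS):
        return "proxy"
    if any(h.lower() in PROXY_HEADERS for h in headers):
        return "proxy"  # headers that forwarding proxies commonly add
    return "unclassified"

# Constructed offline DNS data built from the values posted in the thread;
# 203.0.113.9 is a made-up client whose PTR record imitates Baidu's spider.
PTR = {"180.76.15.34": "baiduspider-180-76-15-34.crawl.baidu.com",
       "66.249.93.252": "google-proxy-66-249-93-252.google.com",
       "203.0.113.9": "baiduspider-203-0-113-9.crawl.baidu.com"}
A = {"baiduspider-180-76-15-34.crawl.baidu.com": {"180.76.15.34"},
     "google-proxy-66-249-93-252.google.com": {"66.249.93.252"}}
TOR = {"176.31.182.218"}

def demo(ip, headers=()):
    return classify(ip, headers, TOR, PTR.get, lambda h: A.get(h, set()))
```

Calling `classify` without the last two arguments uses live DNS; "unclassified" only means none of these checks fired, in line with the replies above that not every proxy can be detected.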
     
  6. Aug 14, 2015 #5

    jtbell


    Staff: Mentor

    "hvd-store.com" turned up in my web site log file today:



    These are requests for my home page (GET /) from the IP address 89.105.194.71, which appear to be the result of clicking on a link on the home page at http://hvd-store.com/. I haven't gone to hvd-store.com to look, but I would wager strong odds that there is not actually a link to my site there. It would probably at best try to sell me something, or at worst try to infect my computer with malware. This is called "referrer spam", which tries to trick curious web site owners into following the links to see who is apparently linking to their sites. It's created by bots which fetch pages from your site, inserting the spam site URL into the referrer field of the requests.

    Whenever I see a new referrer in my log file, and it doesn't seem to be related to the topic of my site, I do a Google search on it to try to find out something about it, before deciding whether to click on the link. In this case I didn't find anything for "hvd-store.com" which gave any indication of what this site is actually about, which is why I didn't go there. This thread turned up on the first page of that search. :smile:

    http://whatismyipaddress.com/ip-lookup gives the following information about the originating IP address:

    IP: 89.105.194.71
    Decimal: 1500103239
    Hostname: tor-exit-readme.as24875.net
    ASN: 24875
    ISP: Avira B.V.
    Organization: Avira B.V.
    Services: Confirmed proxy server
    Tor exit node
    Recently reported forum spam source. (83)

    http://whatismyipaddress.com/hostname-ip gives me the following IP addresses for hvd-store.com:

    Lookup Hostname: hvd-store.com
    Lookup IPv4 Address: 208.73.210.217
    Lookup IPv4 Address: 208.73.211.178
    Lookup IPv4 Address: 208.73.210.200
    Lookup IPv4 Address: 208.73.210.214

    Plugging the first address back into the ip-lookup tool gives me

    General IP Information
    IP: 208.73.210.217
    Decimal: 3494499033
    Hostname: 208.73.210.217
    ASN: 40034
    ISP: Oversee.net
    Organization: Confluence Networks
    Services: None detected
    Type: Broadband
    Assignment: Static IP
    Blacklist:
    Geolocation Information
    Continent: North America
    Country: United States
    State/Region: California
    City: Los Angeles
    Latitude: 34.0533 (34° 3′ 11.88″ N)
    Longitude: -118.2549 (118° 15′ 17.64″ W)
    Postal Code: 90071
     
    Last edited by a moderator: May 7, 2017
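
The manual review described in the post above (spot a new, unrelated referrer, then research it before clicking) can be fed by a small log triage script, shown here as an added example that is not the poster's code. It assumes the server writes Combined Log Format; the log lines, `example.org` as the site's own host, and the function name are constructed for illustration, using the referrer and IP quoted in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def new_referrers(lines, own_host, known_hosts, tor_exits):
    """Group hits by referrer host that is neither ours nor already reviewed."""
    report = defaultdict(lambda: {"hits": 0, "ips": set(), "tor": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, _path, referer = m.groups()
        host = (urlsplit(referer).hostname or "").lower()  # "-" has no host
        if not host or host == own_host or host in known_hosts:
            continue
        entry = report[host]
        entry["hits"] += 1
        entry["ips"].add(ip)
        # A referrer that only ever arrives from Tor exits is a spam signal.
        entry["tor"] = entry["tor"] or ip in tor_exits
    return dict(report)

# Constructed sample log lines (timestamps, sizes and agents are made up).
SAMPLE = [
    '89.105.194.71 - - [14/Aug/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://hvd-store.com/" "Mozilla/5.0"',
    '89.105.194.71 - - [14/Aug/2015:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://hvd-store.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Aug/2015:10:02:00 +0000] "GET /page.html HTTP/1.1" 200 900 '
    '"http://example.org/" "Mozilla/5.0"',
    '198.51.100.8 - - [14/Aug/2015:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

def demo():
    return new_referrers(SAMPLE, "example.org", set(), {"89.105.194.71"})
```

The report lists referrer hosts to research by search engine, as the post describes, without ever requesting the referring URL itself.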